Profile Applicability:
Level 2
Description:
Google Kubernetes Engine (GKE) clusters should not use the default Compute Engine service account, as it provides broad permissions that may pose security risks. Instead, it is recommended to configure GKE clusters to use a custom service account with the least required permissions for Kubernetes workloads.
Rationale:
Principle of Least Privilege: Using the Compute Engine default service account grants excessive permissions that are not necessary for the GKE cluster's operation. Custom service accounts limit access to only the required resources and actions.
Improved Security: A custom service account with tightly controlled permissions reduces the risk of unauthorized access or privilege escalation within the Kubernetes environment.
Compliance: Many compliance frameworks require the implementation of least-privilege access controls and the restriction of broad permissions.
Impact:
Security: Using a custom service account enhances security by limiting the permissions granted to the GKE cluster.
Operational: Configuring a custom service account may require changes to IAM roles and policies, which may introduce additional administrative overhead.
Compatibility: Some workloads may require specific permissions, so proper role assignment to the custom service account is essential.
Default Value:
By default, GKE clusters are created using the Compute Engine default service account, which has full access to Google Cloud resources.
Audit Steps:
Using Google Cloud Console:
Navigate to GKE Clusters: Go to Kubernetes Engine > Clusters in Google Cloud Console.
Verify Service Account Configuration:
Select the cluster and click on Edit.
In the Node Pools section, ensure that the Service Account used by the node pool is not the Compute Engine default service account.
Repeat for All Clusters: Ensure that no other GKE clusters are using the default service account.
Using Google Cloud CLI:
List GKE Clusters:
Check Service Account for a Cluster:
For each GKE cluster, run:Ensure that the service account used by the GKE cluster is not the default service account (
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com).
Remediation Steps:
Using Google Cloud Console:
Navigate to GKE Clusters: Go to Kubernetes Engine > Clusters.
Edit Cluster Node Pool:
Select the cluster and click Edit.
In the Node Pools section, select a custom service account for the Service Account field (do not use the default service account).
Save Changes: Click Save to apply the changes.
Using Google Cloud CLI:
Create or Update the Cluster to Use a Custom Service Account:
To create a new GKE cluster with a custom service account:To update an existing GKE cluster's node pool:
Assign Appropriate Roles to the Custom Service Account:
Ensure that the custom service account has the necessary roles for the GKE nodes. For example:
Backout Plan:
Revert to the Default Service Account:
If you need to revert to using the default service account, use the following command:Where
[DEFAULT_SERVICE_ACCOUNT]is the default Compute Engine service account ([PROJECT_NUMBER]-compute@developer.gserviceaccount.com).
Verify the Change:
After reverting, run thedescribecommand again to ensure the service account has been restored to the default:Test Cluster Operation:
Ensure that the cluster is operational and workloads are correctly running after the change.
Notify Stakeholders:
Inform relevant teams about the backout and any operational impact it may have.
References:
CIS Controls:
Control | Description | IG 1 | IG 2 | IG 3 |
|---|---|---|---|---|
5.1 | Ensure Secure Configurations | ✅ | ✅ | ✅ |
16.5 | Centralize and Manage Access | ✅ | ✅ | ✅ |